Support lookup of intermediate ID for uidmapping and gidmapping in --userns=auto
#20827
Conversation
|
Ephemeral COPR build failed. @containers/packit-build please check. |
|
the build is failing |
kaivol
force-pushed
the
userns-auto-intermediate-id-lookup
branch
2 times, most recently
from
4b19bb4 to
a2793ae
Compare
…n userns=auto Closes containers#20699 Signed-off-by: kaivol <[email protected]>
kaivol
force-pushed
the
userns-auto-intermediate-id-lookup
branch
from
a2793ae to
d5cf46e
Compare
|
@giuseppe PTAL |
There was a problem hiding this comment.
code LGTM, but can we please add a system test?
You can add more tests along the lines of:
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index 667648e5f..c4fcac3ed 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -147,3 +147,12 @@ EOF
is "${output}" "$user" "Container should run as the current user"
run_podman rmi -f $(pause_image)
}
+
+@test "podman userns=auto with id mapping" {
+ skip_if_not_rootless
+ run_podman unshare awk '{if(NR == 2){print $2}}' /proc/self/uid_map
+ first_id=$output
+ mapping=1:@$first_id:1
+ run_podman run --rm --userns=auto:uidmapping=$mapping $IMAGE awk '{if($1 == 1){print $2}}' /proc/self/uid_map
+ assert "$output" == 1
+}to run it, you can use the command:
$ PODMAN=bin/podman bats -f "podman userns=auto with id mapping" test/system/170-run-userns.bats
openshift-ci
bot
added
the
approved
...or, even quicker/safer/better: $ hack/bats 170:"auto with id mapping"Better for infinite reasons, among them: it runs as root & rootless, and does a lot of invisible setup. Also obviously much more friendly. |
Signed-off-by: kaivol <[email protected]>
|
Added system test as suggested by @giuseppe. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, kaivol The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
openshift-merge-bot
bot
merged commit 611ba2f
into
containers:main
|
This broke CI. |
Broken by containers#20827. Signed-off-by: Ed Santiago <[email protected]>
|
Just for my understanding, it was only the test that was erroneous, and that was fixed in #20979, right? |
|
@kaivol yes, absolutely. You did nothing wrong, and the problem is (I think) now fixed. I spoke hastily this morning because I was rushing to a commitment. I apologize for leaving you in suspense like that. Thank you again for your PR and your patience. |
github-actions
bot
added
the
locked - please file new issue/PR
In rootless mode, the host IDs in the
uidmappingandgidmappingoptions of--userns=autoare mapped from an intermediate namespace, just like when using the--uidmapand--gidmapoptions.This means that for a given host ID, the user first has to look up the intermediate ID manually.
The
--uidmapand--gidmapoptions also support prefixing the host ID in the mapping with the@symbol, which means that podman will look up the intermediate ID corresponding to the given host ID and it will map the found intermediate ID to the given container ID.This PR adds the functionality mentioned above to the
uidmappingandgidmappingoptions in--userns=auto.